Heads up, Firefox users who rely on FTP: the browser is eliminating support for this venerable protocol.
First written in 1971, the file transfer protocol predates TCP/IP, the protocol stack that underpins the modern internet. In its original form, the protocol is insecure. For example, it transmits login credentials in plain text. In 1999, the IETF published a draft RFC listing its various shortcomings. These included everything from problems in the way it responded to invalid login attempts through to an inability to segment file permissions when using anonymous FTP (which doesn’t require user credentials at all).
Now, Mozilla is planning to turn off FTP by default in version 77 of Firefox, which will ship this June. Users will be able to turn it on again temporarily so that they can carry on using FTP from within the browser. Firefox Extended Support Release (ESR) will continue to have FTP turned on by default in ESR version 78.
The real crunch will come at the start of next year, when Michal Novotny, a software consultant at Mozilla, said that the Foundation will remove FTP code from the browser altogether. He added:
We’re doing this for security reasons. FTP is an insecure protocol and there are no reasons to prefer it over HTTPS for downloading resources.
Also, a part of the FTP code is very old, unsafe and hard to maintain and we found a lot of security bugs in it in the past.
There are more secure versions of FTP available. SSH FTP uses the secure shell protocol for FTP sessions, which is encrypted. FTP over TLS (FTPS) runs the protocol over SSL/TLS. However, Mozilla seems uninterested in supporting these.
Its reasons may be the same as Google’s, which is also deprecating FTP in Chrome. In a status report on its support for FTP, Google said that so few people use FTP in the browser that it isn’t worth the effort to improve the client.
Google announced its intent to remove the protocol from the browser in August 2019. According to its status report, it had already turned off the ability to render top-level FTP resources directly in Chrome. This means you can’t click on a picture in an FTP directory and have it appear in Chrome – instead, it downloads the image instead.
The advertising giant set a flag for controlling FTP support in version 80, leaving it enabled by default. Version 81 will see that flag set to off by default, and then version 82 will eliminate the FTP code entirely.
What should you do if you’re unwilling to abandon FTP? One option is to use a dedicated FTP client, such as the free FileZilla program, which also supports SFTP.
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
Kurt S
And so Long Live FileZilla!!!
Bryan
[Firefox] is eliminating support for this venerable protocol
Danny, sorry to be pedantic (pessimistic?)–but you misspelled “vulnerable.”
Steve
I’m sure he meant “venerable”, just as typed. Look it up, it fits the context perfectly.
Paul Ducklin
Bryan’s comment was satirical, methinks.
Bryan
The Bryan doth jest too much, methinks.
John Lord
I was thinking it was both vulnerable (insecure) and venerable (simply very old) at the same time :)
Who else also remembers Archie (search engine) and Gopher (protocol)? I’m still ticked at Mozilla for dropping MAFF support! I now have to use 7-zip to open and get stuff I’d saved as *.maff files from Firefox.
Bryan
Yeah, had a little fun with (vuln|ven)erable wordplay. I recall Archie and Gopher, but not MAFF. A quick search had me confused; Wikipedia’s page on MAFF_(gene) says “transcription factor MafF is a bZip Maf.”
Oh this is it… wait.
Har.
It might not be a bad idea to gather MAFF files and re-encode as .zip or .tgz, in case 7z also decides it’s time.
Paul Ducklin
I found some blurb on the mozdev site: “While the Mozilla Archive Format add-on is no longer maintained, the final version released in 2018 can be installed offline on Firefox 56 to convert saved pages to other file formats. Using outdated software can result in security vulnerabilities and may corrupt user profile data, hence this procedure should only be followed by experienced users on a separate computer that is not connected.”
Bryan
Interesting to have web file archive files on an offline computer (the mountain comes to Mohammed?), though I realize that’s not the final intent. At least they’re giving a big “at your own risk” warning with it.
MAFF sounds like a really neat idea… but I can see why it likely had little use and fell by the subsequent wayside. Seems Firefox is trying to streamline again, and that’s a good thing. A few years ago Firefox had been my favorite browser since the beginning but was becoming too memory-greedy. I therefore ditched it for Chrome, concealing myself further underneath the GoogleBrella.
As details fade with time–and as Firefox regains speed–comparing the privacy concerns of today with the (now fuzzy) memory-induced delays of 2013…it’s tough to not wish for a “do-over” on that decision. But it’s never too late to make a better decision, right?
:,)